The resolve plugin only writes directly to resolv.conf if resolvconf is
not available (see
https://docs.strongswan.org/docs/5.9/plugins/resolve.html for details).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Looks like your kernel is missing required modules (xfrm_user etc.) or
they were not automatically loaded.
--
https://bugs.launchpad.net/bugs/1948044
Title:
charon-systemd fails on
> Note: I can't see the libtss2-esys runtime dependency that Tobias
mentioned. @Tobias: is this expected, or am I missing some other flag?
Yes, that's correct. The configure script checks for both tss2-sys and
tss2-esys, but eventually, only tss2-sys is used (possible that Andreas
intended to
> However this is not something like a separate module: support for TSS2
is builtin in the strongswan tools.
Correct, it's just part of libtpmtss.
> I didn't check but I imagine this requires a libtss2-* runtime dep.
Yes, libtss2-esys0 will be required (libtss2-esys-3.0.2-0 for Hirsute
and
> The stable Ubuntu releases are "feature frozen", which means that it
is unlikely TSS2 will be enabled in Focal (exceptions are possible, but
a very compelling reason is needed).
Is it a new feature, though? Couldn't it be considered a necessary fix
to actually make the already shipped tpm
> what is --enable-tpm option exactly?
It's a plugin in libtpmtss that implements interfaces to provide
certificates, private keys and random numbers from a TPM 2.0 to the IKE
daemon.
> Does it work without --enable-tss-trousers and --enable-tss-tss2?
No, it requires a TSS implementation, in
--enable-tss-trousers is missing too, so TPM 1.2 support isn't available
either. Which makes enabling the tpm plugin completely useless.
--
https://bugs.launchpad.net/bugs/1940079
Title:
As you can see in the log, you receive two IP addresses, but the remote
traffic selector is IPv4 only:
Nov 20 14:32:11 XX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new
virtual IP X.X.88.100
...
Nov 20 14:32:11 XX-ThinkPad-T500 charon-nm[2427]: 14[IKE] installing new
virtual IP
That error doesn't seem related (looks more like something the
bypass-lan plugin would log). So please post the complete log.
Also, your manual config creates two CHILD_SAs, one for each family.
That's not how the NM plugin operates. It assumes the responder is able
to narrow the traffic
Yeah, I think disabling strongswan.service should be enough. If you
want to make sure, uninstall the strongswan-starter package (unless you
need the pool utility, which is contained in that package for some
reason).
--
In 18.04, strongswan.service is the legacy systemd unit that controls
starter/charon and loads configuration from ipsec.conf. The
strongswan-swanctl.service unit instead controls the charon-system daemon
and is configured via swanctl.conf, which the unit loads via
`swanctl --load-all`
@Christian Re: rm_conffile, I don't think this is a config file issue
(or is this command also used to remove shared libs/plugins? If so, then
definitely make sure to remove old plugins). The config snippets in
strongswan.d/charon are actually not relevant for charon-nm by default
(charon-nm uses
EAP-PEAP (Protected EAP) is one of those protocols that nobody wants to
use (there are nicer, more modern alternatives) but lots of people have
to because it's what Microsoft implements. It's often used in
combination with EAP-MSCHAPv2 to authenticate e.g. WiFi clients (the TLS
connection in
That file is not relevant for swanctl (unless it was manually included,
check the main strongswan.conf file). Check the output of `swanctl
--help` (lists the plugins), use strace to see when exactly that access
happens.
--
There are only three components in strongSwan that open TUN devices,
charon-xpc (on macOS), the kernel-pfroute plugin (also not on Linux but
macOS and *BSD) and kernel-libipsec, as pointed out by Simon. However,
swanctl has no business loading kernel plugins (it doesn't by default),
as it is no
Enabling the bliss Plugin is probably not such a good idea. There is a
potential local side-channel attack on strongSwan's BLISS implementation
(https://eprint.iacr.org/2017/505).
The ntru plugin should be fine. However, using NTRU with IKEv2 is not
standardized (uses an algorithm identifiers
It's unlikely that this is a strongSwan issue as IPsec is handled by the
Linux kernel. It's more likely a kernel bug related to that particular
architecture.
--
*** This bug is a duplicate of bug 1795653 ***
https://bugs.launchpad.net/bugs/1795653
** This bug has been marked a duplicate of bug 1795653
87cdf3148b11 was never backported to 4.15
--
Why shouldn't it work in a container? (Granted, I don't know LXD, but
strongSwan runs fine in network namespaces and stuff like Docker.)
--
https://bugs.launchpad.net/bugs/1780534
Title:
> To clear this up, it'd be nice if the interface made it clear that the
username field is unused
It is not, it defines the identity of the client (i.e. the local
identity).
> and the password field is the place for the PSK in PSK mode.
The tooltip of that field mentions PSKs (in particular the
> Our Cisco Meraki appliance is expecting both a PSK to with the server,
and a username and password for individual client auth.
I guess you are referring to IKEv1 XAuth/PSK. The strongSwan
NetworkManager plugin does not support this. It only supports IKEv2
(where EAP can be used for
You don't have a Password field?
--
https://bugs.launchpad.net/bugs/1697536
Title:
nm strongswan gui doesn't have a way to enter pre-shared key
To manage notifications about this bug go
> Which means I can't even use the command-line version of StrongSwan
because the "political decision" is baked into the VPN daemon.
That's definitely not true. IKEv1 and PSKs (of arbitrary length) are
supported by the command line version of strongSwan.
--
> It's not even clear if the code supports IKEv1 via the GUI.
It doesn't and it's not likely that it ever will.
By your own admission, what you (or your admins) are doing isn't a good
idea. So you might want to rethink your setup.
--
I've seen this in some Travis CI runs of our test suite. There
occasionally seems to be a lockup (not sure if it is an actual
deadlock). But I was never able to reproduce it. Is it possible to get a
backtrace when the test hangs and gets killed by the builder? Or logon
to the build host and attach
Hi Corey,
FYI, I pushed a couple of commits ([1], [2]) that address this to master
so they will be included in our next release.
Regards,
Tobias
[1] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f4a20b74
[2] https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=f1064ca5
--
Hi Corey,
> 1. Call "resolvconf --disable-updates"
> 2. Call resolvconf the way it is currently in
> invoke_resolveconf(). This has the effect of installing or
> deleting the interface without running the update script, and
> the exit code returned by
Ah, there was an update to NM 1.1. Then the patches Sebastien referred to will
probably be required (at least some of them). In the strongSwan repository
(https://git.strongswan.org/?p=strongswan.git) you'll find these fixes in the
nm-1.2 branch (not yet finished, see
>> i think the kernel-libipsec plugin should not be loaded by default
>>
>> the plugin works only with UDP encapsulated packets
>>
>> (look here: https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec)
>>
>> and this will break most of the "normal"/LAN setups
>>
>
> The
strongSwan's NM plugin only supports IKEv2. IKEv1 and in particular L2TP
are not supported by that GUI (they could be configured via config files
though).
--
Thanks for the example config.
The client will encode the identity as FQDN and the server is forced to
encode it as keyid (the content will be the same but the type is
different). So there won't be a match. Looking at the screenshot I'm not
sure how to configure a FQDN in the pfSense GUI, perhaps
The current version of Strongswan (5.1.2) does not work with newer versions
of pfSense (Strongswan 5.3.2 based).
When using IPsec IKEv2/PSK the identity type is now prefixed leftid and
rightid for better matching.
Hm, could you elaborate on that? For instance, provide example configs?
At a
Your connection fails because you haven't checked the Request an inner
IP address checkbox but configured an IP address pool in
`rightsourceip` on the server (which is required if your client is
behind a NAT). So change your connection settings so a virtual IP is
requested from the server.
While debian/strongswan-plugin-kernel-libipsec.install lists
usr/lib/ipsec/plugins/libstrongswan-kernel-libipsec.so the
strongswan-plugin-kernel-libipsec package does not actually include that file.
The reason for this is how dh_install is called in debian/rules, due to
the
** Changed in: strongswan (Ubuntu)
Status: New => Fix Committed
--
https://bugs.launchpad.net/bugs/1206263
Title:
/usr/sbin/ipsec is missing a lot of docs
Man pages for the pki tool and its subcommands have been committed to
the master branch and will be available with the next release (5.1.1).
--
https://bugs.launchpad.net/bugs/1206263
*** This bug is a duplicate of bug 872824 ***
https://bugs.launchpad.net/bugs/872824
** This bug has been marked a duplicate of bug 872824
Network-manager locks up when adding strongSwan VPN connection
--
** Description changed:
I'm having issues getting strongswan to work on Ubuntu. First of all, I
find it quite weird that ipsec is not capable of running as an
unprivileged user (like in Gentoo). But I guess this has something to do
with the fact that Ubuntu distributes binary packages.
Is this perhaps related to
http://askubuntu.com/questions/30115/root-cannot-access-dev-urandom?
Does it work if you use
$ sudo ipsec start
$ sudo ipsec up remote
instead of running these commands from a root shell?
--
*** This bug is a duplicate of bug 711606 ***
https://bugs.launchpad.net/bugs/711606
** This bug has been marked a duplicate of bug 711606
package strongswan-starter 4.3.2-1.1ubuntu1 failed to install/upgrade:
subprocess installed post-installation script returned error exit status 1
--
*** This bug is a duplicate of bug 711606 ***
https://bugs.launchpad.net/bugs/711606
Thank you for taking the time to report this bug and helping to make
Ubuntu better. This particular bug has already been reported and is a
duplicate of bug 711606, so it is being marked as such. Please look
Hi Kees,
the attached patch (also committed to master [1]) fixes the "keeps
adding entries for the same connection" problem. This happens when only
one of the daemons is installed (strongswan-ikev1 or strongswan-ikev2)
but both are enabled in ipsec.conf. With the patch starter now verifies
that
Hi Kees,
first, I can't really reproduce the "it keeps adding entries for the
same connection" part. Not sure what that might be caused by. Could you
post the full logs here?
Then about your configs. The left-/rightsourceip options are not really
intended for what you are using them for. What's
** Changed in: strongswan (Ubuntu)
Status: Confirmed => Fix Committed
--
pluto crashes with segfault
https://bugs.launchpad.net/bugs/664371
--
ubuntu-bugs mailing list
Great.
Could you try the attached patch (after reverting the previous one)?
This should fix the root cause of the problem.
** Patch added: 0001-pluto-Fixed-a-regression-introduced-in-f565d0c575.patch
Hi Rene,
Is there any chance of this being exploitable other than by causing
a DoS based on admin-created configuration?
No. As far as I can see, this only happens if multiple certificates are
stored with the same ID on one smartcard. That's the only case the
added certificate object is
I think this has been fixed upstream:
http://wiki.strongswan.org/issues/116
http://git.strongswan.org/?p=strongswan.git;a=commit;h=4de8398f
** Changed in: strongswan (Ubuntu)
Status: New => Fix Committed
--
pluto crashes with segfault
https://bugs.launchpad.net/bugs/664371
Thanks for the backtrace. It is indeed a different bug.
From the backtrace it looks like the list of certificates somehow gets
corrupted.
Could you attach the log output with plutodebug=all set in ipsec.conf.
** Changed in: strongswan (Ubuntu)
Status: Fix Committed => Confirmed
--
Thanks.
The cause of this segfault seems to be how pluto handles the storage of
two certificates with the same ID.
From your log:
| found cert in slot: 1 with id: 46, label: 'Verschluesselungs Zertifikat 1'
...
| found cert in slot: 1 with id: 46, label: 'Telesec Verschluesselungs Zertifikat'
** Patch added: dont_free_cert_if_equal.patch
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/664371/+attachment/1705165/+files/dont_free_cert_if_equal.patch
--
pluto crashes with segfault
https://bugs.launchpad.net/bugs/664371
** Changed in: strongswan (Ubuntu)
Status: New => Fix Released
--
strongswan's charon crashes shortly after authentication
https://bugs.launchpad.net/bugs/574664
--
** Changed in: strongswan (Ubuntu)
Status: New => Invalid
--
Problem with installation
https://bugs.launchpad.net/bugs/351616
--